Abstract. The iterated Even-Mansour construction is an elegant construction that idealizes block cipher designs such as the AES. In this work we focus on the simplest variant, the 2-round Even-Mansour construction with a single key. This is the most minimal construction that offers security beyond the birthday bound: there is a security proof up to $2^{2n/3}$ evaluations of the underlying permutations and encryption, and the best known attacks have a complexity of roughly $2^n/n$ operations. We show that attacking this scheme with block size $n$ is related to the 3-XOR problem with element size $\ell = 2n$, an important algorithmic problem that has been studied since the nineties. In particular the 3-XOR problem is known to require at least $2^{\ell/3}$ queries, and the best known algorithms require around $2^{\ell/2}/\ell$ operations: this roughly matches the known bounds for the 2-round Even-Mansour scheme.

Using this link we describe new attacks against the 2-round Even-Mansour scheme. In particular, we obtain the first algorithms where both the data and the memory complexity are significantly lower than $2^n$. From a practical standpoint, previous works with a data and/or memory complexity close to $2^n$ are unlikely to be more efficient than a simple brute-force search over the key. Our best algorithm requires just $\lambda n$ known plaintext/ciphertext pairs, for some constant $0 < \lambda < 1$, $2^n/\lambda n$ time, and $2^{\lambda n}$ memory. For instance, with $n = 64$ and $\lambda = 1/2$, the memory requirement is practical, and we gain a factor 32 over brute-force search. We also describe an algorithm with asymptotic complexity $O(2^n \ln^2 n/n^2)$, improving the previous asymptotic complexity of $O(2^n/n)$, using a variant of the 3-SUM algorithm of Baran, Demaine, and Pătraşcu.

Keywords:  Even-Mansour,  Cryptanalysis,  3-XOR 


1  Introduction 

The Even-Mansour construction [?] is a very simple and elegant way to design a block cipher $E$ from a public permutation $P$, defined as $E_k(x) = P(x \oplus k_1) \oplus k_2$. In the random permutation model, this construction has been proven secure as long as $D \cdot Q < 2^n$, with $n$ the block size, $D$ the data complexity (online queries to the encryption function) and $Q$ the number of evaluations of the permutation (offline queries). In particular, the time $T$ needed by an attacker is lower bounded by $Q$, therefore attacks must satisfy $D \cdot T \ge 2^n$. We also have a number of attacks




matching this bound, such as [7] with chosen plaintext or [?] using just known plaintext: when balancing online and offline queries, these attacks require only $2^{n/2}$ queries and $2^{n/2}$ computations (including all the computations required by the attack, in addition to permutation queries). A single-key version of the Even-Mansour construction has also been proposed with the same security [?], defined as $E_k(x) = P(x \oplus k) \oplus k$.

More recently, this construction was generalized to the iterated Even-Mansour scheme, also called key-alternating cipher [3]. The $r$-round construction uses $r$ independent permutations and $r + 1$ keys, and can be considered as an idealization of concrete SPN ciphers:

$$E_k(x) = P_r\big(\cdots P_2(P_1(x \oplus k_0) \oplus k_1) \cdots\big) \oplus k_r$$

This construction was first proven to be secure up to $2^{2n/3}$ queries for $r \ge 2$ [3], and later improved to $2^{rn/(r+1)}$ queries [?].

As in the single-round case, the requirement to have independent keys and independent permutations can be relaxed without reducing the security. In particular, two single-key variants of the 2-round Even-Mansour have been proposed [5]:

$$\text{EMIP}: \quad E_k(x) = P_2(P_1(x \oplus k) \oplus k) \oplus k$$

$$\text{EMSP}: \quad E_k(x) = P(P(x \oplus k) \oplus \pi(k)) \oplus k, \text{ with } \pi \text{ a linear orthomorphism.}$$

The EMIP construction uses two independent permutations, while the EMSP construction uses a single permutation, and a fixed linear orthomorphism (a linear operation such that both $x \mapsto \pi(x)$ and $x \mapsto x \oplus \pi(x)$ are invertible, such as multiplication by a constant in a field).

There are simple key-recovery attacks matching the $2^{rn/(r+1)}$ bound on the number of queries given in [3], but even with $r = 2$ the best known attacks require about $2^n/n$ operations (in addition to the queries). Attacks against the 3-round Even-Mansour construction have also been given in [5], with complexity close to $2^n/n$, and no attack better than $2^n$ is known for $r > 3$.

In this paper we focus on the most simple instances, the 2-round variants of EMIP and EMSP, collectively denoted as 2EM, and we look for better attacks than what is currently known, with a focus on low memory and low data.

Fig. 1. Single key two-round Even-Mansour scheme (2EM), EMIP variant.
Previous works. The first non-trivial attack against an iterated Even-Mansour construction was described by Nikolić, Wang, and Wu in [?] against the two-round EMIP construction $P_2(P_1(x \oplus k) \oplus k) \oplus k$, using multi-collisions. The main idea is to consider the function $\phi : u \mapsto P_1(u) \oplus u$, and to evaluate it on a large number of points, so as to identify a particular value $v$ that occurs more frequently than others (at least $t$ times). Then, for each known plaintext pair $(x, E(x))$, the attacker assumes that $\phi(x \oplus k) = v$, i.e. $P_1(x \oplus k) \oplus k = x \oplus v$; this gives a key candidate $P_2(x \oplus v) \oplus E(x)$. Since the assumption holds for at least $t$ values of $x$, the expected complexity is $2^n/t$.

According to the asymptotic analysis performed in [?], the optimal choice is to set $t = O(n/\ln n)$. A value with this number of repetitions is expected after evaluating $\phi$ roughly $2^n/n$ times, so that the total complexity of this attack is $2^n \ln n/n$, asymptotically smaller than $2^n$.

This attack was later improved by Dinur, Dunkelman, Keller and Shamir [?]. In particular, they describe a variant with lower online complexity using $N_v$ different values $v_i$ that appear $t$ times each, with a smaller value of $t$. Each online pair $(x, E(x))$ is then used to make a key guess with every $v_i$, which reduces the data complexity to $2^n/N_v t$. They didn't evaluate this strategy asymptotically, but they computed that $N_v = 2^n \mu^t e^{-t}/t!$ multi-collisions should be found, when evaluating a fraction $\mu$ of the domain. In particular, with $\mu = 1/n$ and $t = o(n/\ln n)$, we have an upper bound on the data complexity: $2^n/N_v < n^{2t} = \exp(2t \ln n)$, which is asymptotically smaller than $2^{\lambda n}$ for any $\lambda > 0$. The time complexity is still $2^n/t$. Variants of the attack that can be applied to Even-Mansour schemes with a linear key-schedule, such as EMSP, are also given in [9].

Dinur et al. also proposed attacks against a more general construction with 3 independent keys, using multi-collisions to find differential properties of the random permutation. However this attack only reaches time complexity $O(2^n/\sqrt{n/\ln n})$.

All those attacks require a large pre-processing step to discover multi-collisions: a $t$-collision is only expected after [expression illegible in the source] evaluations of $\phi$. Moreover, the best known algorithm to locate multi-collisions requires a memory of size $2^{n(t-2)/t}$ [?]. Therefore, multi-collision based techniques intrinsically require time and memory close to $2^n$ (asymptotically, we need to have $t$ approaching infinity in order to gain a non-constant advantage over brute-force attacks).

In the journal version of their paper, Dinur et al. show an interesting side-result on EMIP. They describe an alternative attack with low memory using linear algebra [9, Section 4.2]. In this attack, they evaluate $\phi : u \mapsto P_1(u) \oplus u$ on a small set of $\lambda n$ values ($0 < \lambda < 1/3$), and they look for linear relations that are satisfied by all $\phi(u)$ in the set: $L(\phi(u)) = 0$ with $n - \lambda n$ equations. Then, for a given plaintext pair $(x, E(x))$, if $x \oplus k$ is in the set, this implies linear relations on $z = k \oplus P_1(x \oplus k)$, the input of $P_2$: $L(z) = L(x)$. Finally, using structures for $x$ and $z$, a match can be identified using linear relations on the key (following from the assumption that $x \oplus k$ is in the set), using $k = P_2(z) \oplus E(x)$. The full details of the attack are given in [9]. This attack only requires a memory of size $2^{\lambda n}$ to store the structures, but it requires $2^n/\lambda n$ chosen plaintext pairs. However, this approach is not applicable to 3EM or 2EM with independent keys, which are the main focus of their work.

More recently, Isobe and Shibutani [3] introduced Meet-in-the-Middle techniques to attack the 2-round Even-Mansour construction. The basic variant of their attack uses a function $f$ depending on $a$ bits of the key $k_f$ (with $a$ in the order of $\ln n$), and a function $g$ depending on the remaining $n - a$ bits $k_g$. Furthermore, they use a starting point such that $a$ output bits of $f$ are actually independent of the key $k_f$. This allows them to do the matching over $P_2$ using just $k_g$. The attack requires time and data $2^{n-a}$, with chosen plaintexts.

The function $f$ is such that it is equivalent to looking for partial multi-collisions in $\phi$ while imposing a structure on the inputs: they fix $n - a$ bits of $u$ and hope that $a$ output bits of $\phi(u)$ will be independent of the remaining $a$ bits of $u$. For this to work the parameter $a$ must satisfy $a \cdot (2^a - 1) < n - a$, and Isobe and Shibutani only give concrete parameters for some values of $n$. Asymptotically, the maximal value of $a$ can be found by solving $a \cdot (2^a - 1) = n - a$; since $a \ll n$ and $1 \ll 2^a$, we have $a \approx W(n \ln 2)/\ln 2 \approx \log n - \log\log n$, using the Lambert $W$ function.

They also describe a low-data complexity variant of the attack, where the starting point is dynamically chosen so that $a + d$ bits of the plaintext are fixed. This reduces the data complexity to $2^{n-d-a}$, while the time complexity is still $2^{n-a}$. The parameters are more constrained and must satisfy $a \cdot 2^a + d < n - a$. If we want to achieve a data complexity of $2^{\lambda n}$ for a constant $0 < \lambda < 1$, we can set $d = n - \lambda n$, and $a = \log \lambda + \log n - \log\log n$. This gives a time complexity of $2^n \log n/\lambda n$.

Finally, they give a time-optimized attack where $b = a + c$ output bits of $f$ are independent of $k_f$ (instead of just $a$). This reduces the number of queries and memory needed for the matching to $2^{n-b}$, but the attack still requires $2^{n-a}$ memory accesses and chosen plaintext. The parameters must satisfy $b \cdot 2^a + b - a < n - b$, but the authors only give concrete values for some choices of $n$, and no asymptotic analysis. However, we can observe that we must have $b \cdot 2^a < n$; in particular, if we want an attack with an advantage that is not asymptotically bounded, we need to have $a$ approaching infinity and therefore $b/n$ approaching zero (this attack cannot reduce the memory to $2^{\lambda n}$ with $\lambda < 1$). In particular, the optimal parameters satisfy $b \cdot 2^a + b - a = n - b$, with $b \ll n$ and $a \ll 2^a$, hence $b \cdot 2^a \approx n$. Therefore we have a complexity of roughly $2^{n-b}$ in queries and memory, and $b 2^n/n$ in time and data, with $\log n < b \ll n$.

All those attacks are summarized in Tables 1 and 2. We point out that the complexity reported in [?] is lower than listed here, because the authors assume that a memory access to a large table is significantly cheaper than the evaluation of the public permutations $P_i$. Given that a public permutation can obviously be implemented with a table lookup if memory is fast and cheap, we assume that a memory access to a table of size roughly $2^n$ cannot be faster than the evaluation of the $P_i$ permutations.
Table 1. Comparison of attacks against 2EM. Asymptotic complexity, up to constants. "Data" denotes encryption queries, while "Queries" denotes calls to the public permutations $P_i$.
$0 < \lambda < 1$; $\log n < \beta \ll n$; KP: Known plaintext; CP: Chosen plaintext.

| Ref      | Data                       | Queries               | Time                   | Memory                | Comment                  |
|----------|----------------------------|-----------------------|------------------------|-----------------------|--------------------------|
| [?]      | $2^n \ln n/n$ KP           | $2^n \ln n/n$         | $2^n \ln n/n$          | $2^n \ln n/n$         | Multi-collisions         |
| [?]      | $2^n \sqrt{\ln n/n}$ CP    | $2^n \sqrt{\ln n/n}$  | $2^n \sqrt{\ln n/n}$   | $2^n \sqrt{\ln n/n}$  | Diff. m-c (indep. keys)  |
| [?]      | $2^{\lambda n}$ KP         | $2^n \ln n/n$         | $2^n \ln n/n$          | $2^n \ln n/n$         | Multi-collisions         |
| [?]      | $2^n/\lambda n$ CP         | $2^n/\lambda n$       | $2^n/\lambda n$        | $2^{\lambda n}$       | Linear algebra           |
| [?]      | $2^n \ln n/n$ CP           | $2^n \ln n/n$         | $2^n \ln n/n$          | $2^n \ln n/n$         | MitM                     |
| [?]      | $2^{\lambda n}$ CP         | $2^n \ln n/n$         | $2^n \ln n/n$          | $2^n \ln n/n$         | MitM                     |
| [?]      | $2^n \beta/n$ CP           | $2^n/2^\beta$         | $2^n \beta/n$          | $2^n/2^\beta$         | MitM                     |
| Sec. 3.3 | $n$ KP                     | $2^n/\sqrt{n}$        | $2^n/\sqrt{n}$         | $2^n/\sqrt{n}$        | 3XOR [?]                 |
| Sec. 4.1 | $2^d$ KP                   | $2^{n-d/2}$           | $2^n/n$                | $2^{n-d/2}$           | Clamping + 3XOR [?]      |
| Sec. 4.3 | $2^d$ KP                   | $2^{n-d/2}$           | $2^n \ln^2 n/n^2$      | $2^{n-d/2}$           | Clamping + 3XOR [?]      |
| Sec. 4.4 | $\lambda n$ KP             | $2^n/\lambda n$       | $2^n/\lambda n$        | $2^{\lambda n}$       | Low Data Filter          |

Our results. The main results of the paper are the three key-recovery attacks on EMIP given in Section 4, whose complexities are summarized in Tables 1 and 2. To the best of our knowledge these are the first attacks on EMIP to significantly reduce simultaneously the data and the memory complexities below $2^n$. The first attack, Section 4.1, shows that we can achieve the best computational time complexity known so far, that is $O(2^n/n)$, while using just as much data and queries as the best known distinguisher, which is optimal in the balanced case ($2^{2n/3}$ calls to $E$, $P_1$ and $P_2$), with a memory usage not exceeding the number of queries. The next attack, in Section 4.3, works exactly the same way, only it uses another generic 3-XOR algorithm, which improves the asymptotic time complexity to $O(2^n \ln^2 n/n^2)$ and beats the best one known so far. However this 3-XOR algorithm is believed to be impractical for realistic block sizes, notably for $n = 64$. The third attack, in Section 4.4, uses very low data, $\lambda n$, and possibly low memory, $2^{\lambda n}$, for some $\lambda < 1$, while keeping a competitive asymptotic time complexity of $O(2^n/\lambda n)$.


We also present some security reductions, notably showing that adding a linear key schedule does not protect against generic attacks on EMIP. This effectively extends the scope of our attacks, in particular showing they can also be applied to the EMSP variant. We also explain the link between the 3-XOR problem and the key-recovery attacks on EMIP, showing how one can help us solve the other, which justifies our approach. Then we exhibit a symmetry in the Even-Mansour construction that shows how, in the chosen ciphertext attack (CCA) model, an attacker can always swap the number of queries he is making to $E$, $P_1$ and $P_2$ to optimize on the most available resources. This implicitly extends these and previous attacks to adapt to many different data and query complexity profiles.
Table 2. Comparison of attacks against 2EM with $n = 64$. The complexity unit is one evaluation of the cipher; we assume that computing $P_1$ or $P_2$ costs 1/2, and that a memory access to a large table also costs 1/2. The time complexity also includes the time necessary to generate the data.

| Ref      | Data          | Queries    | Time       | Memory    | Comment                                        |
|----------|---------------|------------|------------|-----------|------------------------------------------------|
| [?]      | $2^{58.7}$ KP | $2^{60.5}$ | $2^{60.9}$ | $2^{60}$  | Multi-collisions                               |
| [?]      | $2^{45}$ KP   | $2^{60.7}$ | $2^{60.7}$ | $2^{60}$  | Multi-collisions                               |
| [?]      | $2^{60}$ CP   | $2^{59}$   | $2^{60.6}$ | $2^{16}$  | Linear algebra                                 |
| [?]      | $2^{60}$ CP   | $2^{60}$   | $2^{61.3}$ | $2^{60}$  | MitM                                           |
| [?]      | $2^{8}$ CP    | $2^{62}$   | $2^{62.6}$ | $2^{62}$  | MitM                                           |
| [?]      | $2^{61}$ CP   | $2^{57}$   | $2^{61.7}$ | $2^{58}$  | MitM                                           |
| Sec. 3.3 | $2^{6}$ KP    | $2^{61}$   | $2^{62}$   | $2^{61}$  | 3XOR                                           |
| Sec. 4.1 | $2^{42}$ KP   | $2^{43}$   | $2^{58}$   | $2^{42}$  | Clamping + 3XOR [?], bal. case                 |
| Sec. 4.1 | $2^{14}$ KP   | $2^{57}$   | $2^{58.6}$ | $2^{57}$  | optim. data                                    |
| Sec. 4.2 | $2^{35}$ CP   | $2^{57}$   | $2^{58.6}$ | $2^{35}$  | optim. memory & swap $E \leftrightarrow P_1$   |
| Sec. 4.3 | $2^{42}$ KP   | $2^{43}$   | N.A.       | N.A.      | Clamping + 3XOR [?], bal. case                 |
| Sec. 4.4 | $2^{5}$ KP    | $2^{59}$   | $2^{60}$   | $2^{32}$  | Low Data Filter, $\lambda = 1/2$               |
| Sec. 4.4 | $2^{4}$ KP    | $2^{60}$   | $2^{61}$   | $2^{16}$  | Low Data Filter, $\lambda = 1/4$               |

Lastly we generalize our approach to show that a single key $r$ rounds Even-Mansour scheme can be rewritten as a structured $(r + 1)$-XOR problem with words of size $rn$. Interestingly both the single key $r$ rounds Even-Mansour and the $(r + 1)$-XOR problem with words of size $rn$ have a simple information theoretic solver using $2^{rn/(r+1)}$ queries, though solving these uses more computations than a brute-force solution for $r > 4$.

Practical considerations. In a practical setting, the data complexity and the memory complexity are important considerations. In particular, an attack with complexity $2^n/n$ is unlikely to be more efficient than a brute-force attack if it requires almost $2^n$ data, or almost $2^n$ memory. As mentioned above, some of the previous attacks can reduce the data complexity to $2^{\lambda n}$ for an arbitrary $\lambda > 0$, and the attack from [9, Section 4.2] can reduce the memory to $2^{\lambda n}$, but so far none of them can simultaneously reduce the data and memory complexity below $2^{\lambda n}$ for $\lambda < 1$.

Besides, multi-collision based attacks can use a sequential memory (such as a hard drive) and sort values to locate collisions, while the Meet-in-the-Middle attacks require random access memory, with $O(2^n \ln n/n)$ accesses to a table of size $O(2^n \ln n/n)$.

On the other hand, the linear algebra techniques we use in our attacks will require algorithmic tricks very close to what was done by Bouillaguet, Delaplace and Fouque [3] for the 3-XOR problem. In particular the values we deal with are sufficiently random to be sorted linearly, and the right matrix multiplication in $\mathrm{GF}(2)$, $LM$ for an exponentially large matrix $L$, can be computed with a number of operations linear in the size of $L$. Many constant time optimizations are therefore omitted in this work, which justifies that right multiplications, sorting and merging two big lists $L_1$ and $L_2$ take time and space $O(|L_1| + |L_2|)$. This is consistent with previous cryptanalysis on EMIP.

For the cost of queries to the oracles $E$, $P_1$ and $P_2$ we mainly follow the convention established by Dinur et al. [?] which states that an online query to $E$ costs 1 unit of computation, implying that $P_1$ and $P_2$ cost 1/2. The main advantage is that it makes it easy to compare with the brute-force solution that would use $2^n$ computations. The disadvantage is that it makes it hard to combine with the computations used for simple operations: an evaluation of a cryptographically secure permutation should cost more than a XOR operation.

We give concrete complexity values for $n = 64$ in Table 2 with the assumption that a combination of some linear time operations does not exceed the cost of computing a permutation, that is 1/2 time unit. Concretely, iteratively right multiplying, sorting and merging two lists $L_1$, $L_2$ costs $|L_1|/2 + |L_2|/2$. We believe this makes an honest comparison with previous works, though they may use other assumptions.

Organization of the paper. First, in Section 2 we show some reductions that extend our results and justify our approach. Then in Section 3 we take a close look at previous works done on the 3-XOR problem to show how it can help the cryptanalysis of EMIP. Lastly, in Section 4 we devise three dedicated algorithms for EMIP, each having their own particular complexity trade-off. We also extend our approach in Appendix 5 to the $r$ rounds iterated Even-Mansour construction.

Notations. We denote the block size of the Even-Mansour scheme (i.e. the width of the public permutations) as $n$, and the concatenation of $n$-bit blocks $x$ and $y$ as $x \parallel y$. When $x$ and $y$ fit together in one block, we use $x|y$ to denote their concatenation. We use $L[i]$ to denote element $i$ of list $L$, $x_{[i]}$ to denote bit $i$ of $x$, [notation illegible in the source] to denote bits $i$ to $j - 1$, $0$ to denote a zero $\mathrm{GF}(2)$ matrix and $I$ to denote an identity $\mathrm{GF}(2)$ matrix. When $L$ is a list of $\ell$ $n$-bit values, we identify it with an $\ell \times n$ matrix where the elements of $L$ are the rows of the matrix. Finally, we use a curly brace for systems of equations.

2 Security Reductions

We start with some general observations about the security of iterated Even-Mansour schemes. In particular, we show that we can focus on the EMIP construction without loss of generality, how to reduce the security of this construction to an instance of the 3-XOR problem, and how to reorder the oracles to achieve many different trade-offs.

Some previous works already implicitly took advantage of such reductions. For example Isobe and Shibutani [?] realised that their recent attack on EMIP is also applicable to EMSP, and Dinur et al. [5] realised that they could reorder the oracles for their cryptanalysis of reduced round LED. We formally show here that these tricks are in fact real security reductions and do not depend on the approach used.
2.1 Removing the Key Schedule

There are several variants of single-key multiple-round Even-Mansour studied in the literature. The most general form uses two independent permutations, and an arbitrary key schedule (see Figure 2):

$$E_k(x) = P_2\big(P_1(x \oplus \gamma_0(k)) \oplus \gamma_1(k)\big) \oplus \gamma_2(k).$$

According to the analysis of [?], there is a class of good key schedules where the $\gamma_i$'s are public linear bijective functions. In the following, we focus on this class of key schedules, i.e. we assume that the $\gamma_i \in \mathrm{GL}_n(\mathbb{F}_2)$. In order to simplify the analysis, we reduce the security of this construction to the security of the EMIP variant without a key schedule.


[Figure 2: the three subkeys $\gamma_0(k)$, $\gamma_1(k)$, $\gamma_2(k)$ are added before $P_1$, between $P_1$ and $P_2$, and after $P_2$.]

Fig. 2. Linear key-schedule 2-round Even-Mansour.


The main trick is to rewrite the addition of the subkey $\gamma_i(k)$ as the application of the inverse $\gamma_i^{-1}$, the addition of $k$ and the application of the forward $\gamma_i$:

$$x \oplus \gamma_i(k) = \gamma_i\big(\gamma_i^{-1}(x \oplus \gamma_i(k))\big) = \gamma_i\big(\gamma_i^{-1}(x) \oplus k\big)$$

which works thanks to $\gamma_i$ being linear. Then we define $E', P_1', P_2'$ as follows:

$$P_1'(x) = \gamma_1^{-1}\big(P_1(\gamma_0(x))\big) \qquad P_2'(x) = \gamma_2^{-1}\big(P_2(\gamma_1(x))\big) \qquad E'(x) = \gamma_2^{-1}\big(E(\gamma_0(x))\big)$$

Thanks to the previous relation, $E', P_1', P_2'$ is actually an instance of EMIP with the same key $k$ (see Figure 3):

$$E'(x) = P_2'\big(P_1'(x \oplus k) \oplus k\big) \oplus k.$$

Therefore, any attack against EMIP can be used on $E', P_1', P_2'$, and break the initial construction with a key schedule. In particular, a key-recovery attack against EMIP will recover the key of the more general scheme of 2EM.

In the following we only consider the EMIP variant without a key schedule, but thanks to this reduction our attacks can be applied to many other 2EM variants, including the EMSP construction of [5].

Definition 1 (EMIP key recovery). Given oracle access to three permutations $E, P_1, P_2$ and their inverses, with the promise that there exists $k$ such that $E(x) = P_2(P_1(x \oplus k) \oplus k) \oplus k$, recover $k$.


[Figure 3: the same key $k$ is added at the three key-addition points of the rewritten instance.]

Fig. 3. Reduction of linear key schedule 2EM to EMIP.


2.2 Reduction to 3-XOR

Instead of directly focusing on a key-recovery attack, we focus on locating a triplet of values $x, y, z$ such that the encryption of $x$ is evaluated with permutation calls $P_1(y)$ and $P_2(z)$. Formally, we say that $x, y, z$ is a right triplet when $y = x \oplus k$ and $z = P_1(y) \oplus k$. A right triplet corresponds to a sequence of intermediate values in the Even-Mansour encryption, as shown in Figure 4 ($x$, $y = x \oplus k$, $P_1(y)$, $z = P_1(y) \oplus k$, $P_2(z)$, $E(x) = P_2(z) \oplus k$); we call this sequence a path.


[Figure 4: the path $x \to y = x \oplus k \to P_1(y) \to z = P_1(y) \oplus k \to P_2(z) \to E(x) = P_2(z) \oplus k$.]

Fig. 4. A right triplet gives a path of EMIP.


Since the permutations $P_1$ and $P_2$ are public, it is easy to compute a path given the key. Recovering the key from a path is also easy (we have $k = x \oplus y$), but it is hard to identify a right triplet corresponding to a path without the key. By definition a triplet is right when it follows the relation $\mathcal{R}$ defined as:

$$\mathcal{R}(x, y, z) : \begin{cases} x \oplus y = k \\ P_1(y) \oplus z = k \\ P_2(z) \oplus E(x) = k \end{cases} \qquad (1)$$

$$\Longrightarrow \quad \begin{cases} x \oplus y = P_1(y) \oplus z \\ x \oplus y = P_2(z) \oplus E(x) \end{cases} \qquad (2)$$

Notice that we can't directly observe (1) since we don't know $k$, but we can easily verify the implied relation (2).
We claim that if one takes a random triplet combination and observes that it respects (2), then it is a right triplet with good probability. Indeed there are $2^n$ possible paths (one for every possible input $x$), implying as many right triplets, and $2^{3n}$ possible triplet combinations; thus a random triplet will be right with probability $2^{-2n}$. Since (2) is a $2n$-bit relation, a random but false triplet respects (2) also with probability $2^{-2n}$. Therefore we can expect roughly as many right triplets as false triplets that respect (2), thus the first one we find is right with probability $\Omega(1)$. So from now on and for simplicity we will focus on filtering and recovering a triplet that simply respects (2). This means that our algorithms fail to recover the key on some instances, but they have a constant (non-zero) probability of success. In order to improve the success probability arbitrarily close to one, it is easy to test the triplets, and continue the attack until we find a right triplet (alternatively, the whole attack can just be repeated).

In order to simplify the analysis, the condition (2) can be rewritten as:

$$\begin{cases} (x) \oplus (y \oplus P_1(y)) \oplus (z) = 0 \\ (x \oplus E(x)) \oplus (y) \oplus (P_2(z)) = 0 \end{cases}$$

Therefore, finding a triplet satisfying (2) is equivalent to solving an instance of the 3-XOR problem, defined as:

$$\begin{aligned} f_0(x) &:= x \parallel x \oplus E(x) \\ f_1(y) &:= y \oplus P_1(y) \parallel y \\ f_2(z) &:= z \parallel P_2(z) \end{aligned} \qquad (3)$$

The 3-XOR problem is a well known algorithmic problem; it is a special case of the $k$-XOR problem analyzed by Wagner as the generalized birthday problem [?].

Definition 2 (3-XOR problem). Given three functions $f_0, f_1, f_2$, find three inputs $(x_0, x_1, x_2)$ such that $f_0(x_0) \oplus f_1(x_1) \oplus f_2(x_2) = 0$.

We usually focus on functions $f_0, f_1, f_2$ that are chosen at random. Equivalently, we can be given lists $L_0, L_1, L_2$ (of random elements) instead of functions. The presentation with functions makes it more clear that the adversary can choose how many queries he makes to each of the functions.

EMIP Key Recovery from the 3-XOR Problem. From the previous discussion, solving the 3-XOR instance defined by (3) gives a triplet satisfying $\mathcal{R}$, which has a high probability of being a right triplet and revealing the key. Evaluating each of the $f_i$ functions requires a single computation of a permutation. However evaluating $f_0$ must be done online (using an oracle call to $E$) because it depends on the key, while evaluating $f_1$ and $f_2$ can be done offline as the permutations are public and computable at will by the attacker. As per our adopted convention, an evaluation of $f_0$, that is a call to $E$, costs 1 unit of computation and an evaluation of $f_1$ or $f_2$ costs 1/2.

We denote the list of values of $f_i$ evaluated by an attacker as $L_i$. Therefore, the data complexity of an attack is equal to $D = |L_0|$. The time complexity is the amount of computation required to break the scheme. In the computational model, it will depend on the algorithm used and be denoted as $T$. In the information theoretic model we only look at the number of calls to the permutations and denote it $Q$, with $Q = (|L_1| + |L_2|)/2$. We will discuss both models.

As seen from the description in (3), we can choose some parts of the values in $L_i$. However, if we only use random values of $x, y, z$ to build the lists, we obtain a random 3-XOR instance with words of size $w = 2n$. It is known that to find a solution of a 3-XOR problem with good probability, the list sizes should respect $|L_0| \times |L_1| \times |L_2| \ge 2^w$. In the information theoretic setting this gives a key recovery attack with $D \times Q^2 = 2^{2n}$. This is the exact same complexity trade-off as the information theoretic distinguisher described by Gaži [?]. In particular it is known that this trade-off is proven optimal in the balanced case $D = Q = 2^{2n/3}$ [?].

2.3  Symmetry  between  E,  Pi  and  P2 

In the 3-XOR problem the three functions behave essentially in the same way: if one has a solver using a few evaluations of $f_0$ and lots of evaluations of $f_1$ and $f_2$, then the same solver could decide to use lots of queries to $f_0$ and $f_1$ and fewer $f_2$ queries (just by permuting the functions). In our case, a natural choice is to minimize the number of evaluations of $f_0$, because they correspond to online queries. This ensures that we have $D \le Q$. While this is easy to do with a 3-XOR approach, it is not obvious whether this can be done in general for an iterated Even-Mansour key recovery. We now show that in the chosen ciphertext setting an attacker can actually permute the functions $E$, $P_1$ and $P_2$, and minimize the amount of online queries.

We assume that we are given an instance $E, P_1, P_2$ of EMIP, i.e. we have oracle access to $E, P_1, P_2$ denoting forward computations of the permutations, and $E^{-1}, P_1^{-1}, P_2^{-1}$ denoting backward computations. We use a black-box solver $S(E, E^{-1}, P_1, P_1^{-1}, P_2, P_2^{-1})$ that uses $\alpha$ calls to $E/E^{-1}$ (online queries), $\beta$ calls to $P_1/P_1^{-1}$ and $\gamma$ calls to $P_2/P_2^{-1}$ and outputs the key $k$.

The trick is that we can rewrite the EMIP instance $E, P_1, P_2$ by permuting the oracles. For instance we have $P_1(x) = k \oplus P_2^{-1}(k \oplus E(k \oplus x))$ (directly from the definition $E(x) = k \oplus P_2(k \oplus P_1(k \oplus x))$), which gives the following EMIP instance with the same secret key $k$:

$$E' = P_1, \qquad P_1' = E, \qquad P_2' = P_2^{-1}.$$

Therefore, we can use the solver as $S(P_1, P_1^{-1}, E, E^{-1}, P_2^{-1}, P_2)$ to recover $k$ using $\beta$ online queries. Similarly, we can write $P_2(x) = k \oplus E(k \oplus P_1^{-1}(k \oplus x))$; therefore, we can use the solver as $S(P_2, P_2^{-1}, P_1^{-1}, P_1, E, E^{-1})$ to recover $k$ using $\gamma$ online queries.

We could further use $E^{-1}$ to rewrite $P_1^{-1}$ and $P_2^{-1}$ in the same fashion and obtain all the possible trade-offs between $\alpha$, $\beta$ and $\gamma$. The point is that, given any solver $S$, it is always up to the attacker to choose what is the most accessible data. From here onward all of our discussed trade-offs will have $|L_0| \le \min(|L_1|, |L_2|)$ to lower the query complexity, but one should remember that it is an arbitrary choice.

In particular, this trick can be applied to the attack of [8, Section 4.2]. Indeed, this attack uses $\lambda n$ queries to $P_1$, with $0 < \lambda < 1/3$, and $2^n/\lambda n$ queries to $E$ and $P_2$. Using this trick we can reduce the data complexity from $2^n/\lambda n$ to $\lambda n$, without affecting the other parameters. Actually, the attack presented in Section 4.4 can be seen as an improved variant of this modified attack (using known plaintext rather than chosen plaintext).
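To make the permutation of oracles concrete, here is an added Python example (not from the paper) on a toy 2EM instance with $n = 10$ and random permutations stored as tables. It builds the two rewritten instances $(P_1, E, P_2^{-1})$ and $(P_2, P_1^{-1}, E)$, checks that each one is a 2EM instance under the same key $k$, and runs a single black-box solver $S$ on all three while counting the queries made to every oracle. The solver is a deliberately naive brute-force search with $\alpha = 3$ online queries, chosen only because it is easy to audit; the names `brute_force_solver`, `instances`, `run_solver` and `is_emip_instance` are mine. The three queries that are the online cost $\alpha$ for the original instance show up as calls to $P_1$ (resp. $P_2$) for the permuted ones, while the $2^n$-scale work moves onto $E$.

```python
"""Permuting the oracles of a toy single-key 2EM instance (Section 2.3).
Added example: the instance, the solver and all names are constructed here."""
import random

n = 10                                   # toy block size; nothing below depends on n being small
SIZE = 1 << n
rng = random.Random(42)
P1 = rng.sample(range(SIZE), SIZE)       # public random permutations as lookup tables
P2 = rng.sample(range(SIZE), SIZE)
P1inv = sorted(range(SIZE), key=P1.__getitem__)
P2inv = sorted(range(SIZE), key=P2.__getitem__)
KEY = rng.randrange(SIZE)                # the secret; only the instance builder reads it
E = [KEY ^ P2[KEY ^ P1[KEY ^ x]] for x in range(SIZE)]   # E(x) = k + P2(k + P1(k + x))
Einv = sorted(range(SIZE), key=E.__getitem__)


def is_emip_instance(Ep, P1p, P2p, k):
    """True iff Ep(x) = k + P2p(k + P1p(k + x)) for every x, i.e. (Ep, P1p, P2p)
    is a 2EM instance with key k.  Used to check the rewritten instances."""
    return all(Ep[x] == k ^ P2p[k ^ P1p[k ^ x]] for x in range(SIZE))


def brute_force_solver(E_, Einv_, P1_, P1inv_, P2_, P2inv_, alpha=3):
    """A deliberately naive black-box solver S with the paper's interface:
    alpha online queries to E_, then every candidate key checked with P1_ and P2_.
    Returns all keys consistent with the alpha pairs (alpha = 3 makes a wrong
    candidate vanishingly unlikely at this n)."""
    pairs = [(x, E_(x)) for x in range(alpha)]
    return [k for k in range(SIZE)
            if all(k ^ P2_(k ^ P1_(k ^ x)) == c for x, c in pairs)]


def counting(table, counter, name):
    """Wrap a lookup table as an oracle whose calls are tallied under `name`."""
    def oracle(x):
        counter[name] = counter.get(name, 0) + 1
        return table[x]
    return oracle


def instances():
    """The three EMIP instances of Section 2.3, all with key KEY, as the oracle list
    (E, E^-1, P1, P1^-1, P2, P2^-1) that the solver expects."""
    original = [(E, "E"), (Einv, "E^-1"), (P1, "P1"), (P1inv, "P1^-1"), (P2, "P2"), (P2inv, "P2^-1")]
    # P1(x) = k + P2^-1(k + E(k + x)):   E' = P1,  P1' = E,      P2' = P2^-1
    swap_E_P1 = [(P1, "P1"), (P1inv, "P1^-1"), (E, "E"), (Einv, "E^-1"), (P2inv, "P2^-1"), (P2, "P2")]
    # P2(x) = k + E(k + P1^-1(k + x)):   E'' = P2, P1'' = P1^-1, P2'' = E
    swap_E_P2 = [(P2, "P2"), (P2inv, "P2^-1"), (P1inv, "P1^-1"), (P1, "P1"), (E, "E"), (Einv, "E^-1")]
    return {"original": original, "E<->P1": swap_E_P1, "E<->P2": swap_E_P2}


def run_solver(oracles):
    """Run the solver on one instance; return (recovered keys, per-oracle query counts)."""
    counter = {}
    wrapped = [counting(table, counter, name) for table, name in oracles]
    return brute_force_solver(*wrapped), counter


if __name__ == "__main__":
    for label, oracles in instances().items():
        assert is_emip_instance(oracles[0][0], oracles[2][0], oracles[4][0], KEY)
        keys, counter = run_solver(oracles)
        print(label, keys == [KEY], counter)   # the 3 'online' calls move to P1 resp. P2
```

The printed counters are the point: for the original instance the solver spends 3 calls on $E$ and about $2^n$ on $P_1$ and $P_2$; for the `E<->P1` instance the same code spends 3 calls on $P_1$ and the $2^n$-scale work on $E$ and $P_2^{-1}$, exactly the $\alpha \leftrightarrow \beta$ swap described above.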

3  2EM  Attacks  from  3-XOR  Algorithms 

In this section we explore the link between 2EM key recovery and the 3-XOR problem. First, we review existing approaches to solve the 3-XOR problem, and we show that previous 2EM attacks can be reinterpreted in a 3-XOR framework. Then we describe new attacks against 2EM based on the reduction of the previous section. In this section, we focus on a generic 3-XOR instance given by three $w$-bit functions $f_0$, $f_1$ and $f_2$, or three lists $L_0$, $L_1$, $L_2$.


3.1  3-XOR  Algorithms 

The Birthday Problem, that is the problem of finding collisions among two lists, has been well studied and has proven useful in a number of cryptanalyses. In 2002, Wagner proposed a natural extension of this problem, the Generalized Birthday Problem [20], that is the problem of finding collisions among $k$ lists. Here we refer to this problem as the $k$-XOR problem. In particular Wagner left the hard case of $k = 3$ as an open problem. His best algorithm would just take one value of the first function and solve the classical Birthday Problem among the two others, with complexity $2^{w/2}$.

Subsequent works tried to address this open problem. Two main approaches managed to improve the time complexity of the 3-XOR problem: an approach based on partial multi-collisions by Nikolić and Sasaki [18] and an approach using linear algebra by Joux [15]. Unfortunately, those two solutions seem hard to combine.

Multi-collision Algorithms. Nikolić and Sasaki [18] introduced a multi-collision algorithm for the 3-XOR problem as follows. First, compute many outputs of $f_0$ and look for the most frequent $w/2$-bit prefix $a$. Store all the values with this fixed prefix in a list $L_0$ (a partial multi-collision for $f_0$). Then evaluate $f_1$ and $f_2$, $2^{w/2}/\sqrt{|L_0|}$ times each, and store the results in lists $L_1$ and $L_2$. Sort the lists, and look for pairs with a difference $a$ in the first $w/2$ bits. On average, there should be $2^{w/2}/|L_0|$ such pairs, and there is a high probability that one of them sums to a value in $L_0$. According to their analysis, the optimal attack uses around $2^{w/2}/w$ evaluations of $f_0$, resulting in a multi-collision of size $O(w/\ln(w))$; therefore this algorithm solves the 3-XOR problem with complexity $O\big(2^{w/2}/\sqrt{w/\ln(w)}\big)$.
Linear algebra. The second approach, introduced by Joux [15], uses linear algebra and reaches a slightly better complexity of $O(2^{w/2}/\sqrt{w})$. This attack uses just $w/2$ evaluations of $f_0$ stored in a list $L_0$, and $2^{w/2}/\sqrt{w/2}$ evaluations of $f_1$ (resp. $f_2$) stored in a list $L_1$ (resp. $L_2$). Instead of collecting values in $L_0$ with a common prefix, we use Gaussian reduction to find a non-singular matrix $M$ such that the elements of $L_0 \cdot M$ start with $w/2$ zeroes.¹ Then we focus on a modified 3-XOR instance:

$$L_0' = L_0 \cdot M, \qquad L_1' = L_1 \cdot M, \qquad L_2' = L_2 \cdot M.$$

The new instance has the same solutions ($L_0'[h] \oplus L_1'[i] \oplus L_2'[j] = 0 \iff L_0[h] \oplus L_1[i] \oplus L_2[j] = 0$), but the elements of $L_0'$ start with $w/2$ zeroes. Therefore, as in the previous attack, we can efficiently find the solution after sorting the lists $L_1'$ and $L_2'$.

This approach was later generalized by Bouillaguet, Delaplace and Fouque [4], in order to deal with instances of the 3-XOR problem where the size of the lists is limited: given three lists with $|L_0| \cdot |L_1| \cdot |L_2| = 2^w$, they solve the 3-XOR problem with complexity $O(|L_0| \cdot (|L_1| + |L_2|)/w)$. In particular, with three lists of size $2^{w/3}$ this gives a time complexity of $O(2^{2w/3}/w)$.

In addition, this algorithm can be combined with the clamping trick of Bernstein [2] to reduce the memory: the attacker first filters the lists $L_i$ to keep only values that start with $w/4$ zero bits, and solves a shorter 3-XOR instance on $3w/4$ bits. If the initial lists have $2^{w/2}$ elements, the filtered lists still have $2^{w/4}$ elements, which is sufficient to expect a solution. This gives an algorithm with time $O(2^{w/2})$ (the cost of generating the lists) and memory only $O(2^{w/4})$. Arguably, this is more practical than algorithms using $O(2^{w/2}/w)$ memory.

BDP Algorithm. Even before these two approaches, Baran, Demaine and Pătraşcu [1] proposed an algorithm for the 3-SUM problem (using modular additions instead of XORs) with the asymptotic complexity of $O(2^{w/2} \cdot \ln^2(w)/w^2)$. This algorithm has been adapted to the 3-XOR problem by Bouillaguet et al. [4] with the same complexity. This is the best known asymptotic complexity for the 3-XOR problem, even though the algorithm is highly impractical for realistic values of $w$. We nevertheless use this algorithm to cryptanalyse 2EM in Section 4.3.


3.2  Revisiting  Previous  Cryptanalysis 

Interestingly, all attacks so far on 2EM use the same techniques as developed against the 3-XOR problem. Most of the attacks are based on multi-collisions [8,19], and the MitM attack by Isobe and Shibutani [14] can also be interpreted as looking for a structured partial multi-collision, as seen in Section 1. On the other hand, the attack from [8, Section 4.2] uses linear algebra.

1  For instance, we write $L_0$ as a block matrix $[A \;\; B]$ with two $w/2 \times w/2$ sub-matrices. If $B$ is non-singular, we can use $M = \begin{bmatrix} I & 0 \\ B^{-1}A & B^{-1} \end{bmatrix}$, so that $L_0 \cdot M = [A \oplus BB^{-1}A \;\; BB^{-1}] = [0 \;\; I]$.
Using the Reduction to 3-XOR. As explained in Section 2.2, we can use an attack against 3-XOR to build a key-recovery against 2EM in a generic way. In particular, this reduction gives attacks similar to the known attacks on 2EM if we start from multi-collision algorithms to solve 3-XOR. More precisely, the reduction leads to a 3-XOR instance with $w = 2n$, defined as:

$$f_0(x) := x \,\|\, x \oplus E(x), \qquad f_1(y) := y \oplus P_1(y) \,\|\, y, \qquad f_2(z) := z \,\|\, P_2(z). \qquad (3)$$

A solution $f_0(x) \oplus f_1(y) \oplus f_2(z) = 0$ with $y = k \oplus x$ and $z = k \oplus P_1(y)$ reveals the key as $k = x \oplus y$. If we directly apply the previous algorithm the time complexity will be $O(2^n/\sqrt{n/\ln(n)})$. Concretely, the most natural way would be to search for prefix multi-collisions offline in $f_1$ as it is computationally intensive. Because of the definition of $f_1$, the second half $y$ won't repeat but $(y \oplus P_1(y))$ should repeat roughly as often as a random function (assuming that $P_1$ is a random permutation). Indeed previous works [8,19] also use repetitions in the values of $(y \oplus P_1(y))$ in their attacks.

Improved Attack from Multi-collisions. We can actually improve this attack and obtain an attack equivalent to the previous works [8,19] by using the special structure of the 3-XOR instance (3). After building a partial multi-collision $L_1$ with $O(n/\ln(n))$ values of $f_1$ starting with $a$, we look for pairs with $(f_0(x) \oplus f_2(z))_{[0:n]} = a$. Because of the structure of $f_0$ and $f_2$, we can just use $z = x \oplus a$ for each known plaintext $x$. Therefore we have $|L_0| = |L_2|$ pairs partially colliding to a predefined value. Each couple gives a full collision if the second $n$-bit part corresponds to one of the elements in $L_1$; this happens with probability $n/\ln(n) \cdot 2^{-n}$. Thus this attack requires lists of size $D = Q = O(2^n/(n/\ln(n)))$ in order to succeed with high probability in the KPA model.

We see that because we can choose parts of the inputs our problem may be easier than the purely random 3-XOR case. However, generic algorithms are a good start to find dedicated cryptanalysis of 2EM. Moreover, the best known attacks against 2EM [8,19] can actually be reinterpreted in this way.

In this paper, we will give new attacks against 2EM starting from this 3-XOR presentation, and using algorithms based on the linear algebra approach.


3.3  A  Key  Recovery  Algorithm 

Now we describe a key recovery algorithm simply using the linear algebra 3-XOR algorithm by Joux [15] on the 3-XOR instance obtained by the reduction from 2EM. Using this algorithm as a black box, we have a time complexity of $O(2^n/\sqrt{n})$ (since $w = 2n$). This is not as good as the best known 2EM key recovery, but this will lay the ground for the more efficient algorithms in Section 4. The full attack can be written as Algorithm GA:

GA1. Compute $f_1(y) = (y \oplus P_1(y)) \,\|\, y$ for $Q$ different values $y$ and store them in $L_1$.

GA2. Compute $f_2(z) = z \,\|\, P_2(z)$ for $Q$ different values $z$ and store them in $L_2$.

GA3. Observe and find a set of $n$ pairs of plaintext/ciphertext $(x, E(x))$ such that all $\{f_0(x) = x \,\|\, (x \oplus E(x))\}$ are linearly independent and store $x \,\|\, (x \oplus E(x))$ in $L_0$.

GA4. See $L_0$ as an $n \times 2n$ matrix. Use column reduction to find a $2n \times 2n$ transformation matrix $M$ such that $L_0 M = [0_{n \times n} \,\|\, I_n]$.²

GA5. Right-multiply the lists with the transformation matrix:

$$L_0' \leftarrow L_0 M; \qquad L_1' \leftarrow L_1 M; \qquad L_2' \leftarrow L_2 M.$$

GA6. Sort and find partial collisions in $L_1'$ and $L_2'$ on the first $n$-bit half. For each partial collision $L_1'[i] \oplus L_2'[j]$ check whether the second $n$-bit half differs only on the $h$th bit for some $h$. If yes go to GA7. If no solution is found, the algorithm fails.

GA7. A solution to the 3-XOR problem $(L_0[h], L_1[i], L_2[j])$ has been found. Output $k = x \oplus y$ with $x$ the first half of $L_0[h]$ and $y$ the second half of $L_1[i]$.


The main idea is that, since the transformation matrix $M$ is linear and invertible, solving the 3-XOR problem for $L_0', L_1', L_2'$ yields the same solutions as for $L_0, L_1, L_2$. Using the transformed lists is easier as we exploit the fact that $L_0' = [0_{n \times n} \,\|\, I_{n \times n}]$, which is always possible to ensure after step GA3: the $n$ rows of $L_0$ are independent, so they can be completed to a basis of $\{0,1\}^{2n}$ whose inverse matrix is a valid $M$. (The explicit form of footnote 2 additionally assumes that the $n \times n$ block $B$ of second halves is non-singular.)

Step GA3 will cost only $n$ queries as $n$ random words of size $2n$ will be linearly independent with very high probability. Note that because we just need to observe these, this attack works in the KPA setting.


Analysis. The query complexity $Q$ is also the size of the lists $L_1$ and $L_2$. There are $Q^2$ pairs, each XORing to one of the $n$ elements of $L_0$ with probability $n/2^{2n}$ as they are taken randomly. Thus the probability of step GA6 succeeding is $(n \cdot Q^2)/2^{2n}$. Note that a triple of unrelated values also XORs to zero with the same probability, so a 3-XOR solution found in GA6 only yields a candidate key, which must be checked against a known plaintext/ciphertext pair; this costs a negligible number of extra evaluations.

Therefore for a constant success probability we fix $(n \cdot Q^2)/2^{2n} = \Theta(1)$. This leads to the following complexities: $Q = O(2^n/\sqrt{n})$, $T = O(2^n/\sqrt{n})$ and $D = O(n)$.


We recall here that sorting random values and performing a right matrix multiplication $L_1 M$ (resp. $L_2 M$) on an exponentially large $L_1$ are both computed in time linear in the size of $L_1$ [4]. As for the computation of $M$, it is of polynomial time in $n$ and therefore negligible.

$Q$ is the query complexity and we find the relation $DQ^2 = 2^{2n}$ as expected. Memory-wise we need to store the full lists $L_1$ and $L_2$ so the memory complexity will also be $Q = O(2^n/\sqrt{n})$.

Steps GA1 and GA2 concentrate all the permutation evaluations but can be done as a pre-processing step.


2  We write $L_0 = [A \;\; B]$ with $n \times n$ blocks. If $B$ is non-singular, we can use $M = \begin{bmatrix} I & 0 \\ B^{-1}A & B^{-1} \end{bmatrix}$.
4  Improved Attacks from the 3-XOR Problem

In the previous section we saw how tools to solve the 3-XOR problem can prove very useful for 2EM key recovery attacks. But the cryptanalytic setting allows us to do some tweaks and obtain better results than simply applying the generic solutions.

In this section we first show how to add a simple filter to Algorithm GA to mount an attack following the trade-off curve $DQ^2 = 2^{2n}$ while improving the time complexity to $T = 2^n/n$ (matching the best known 2EM attacks) and with memory not exceeding $Q$. We also show how using the same filter but with the BDP algorithm adapted for the 3-XOR problem gives the best asymptotic time complexity so far, $T = O(2^n \ln^2(n)/n^2)$, though that largely remains theoretical.

Then we describe a very low-data and low-memory key recovery attack that essentially tweaks the previous Algorithm GA to a version that uses, for some parameter $0 < \lambda < 1$, few queries, $D = \lambda n$, time $Q = T = 2^n/\lambda n$ and memory $2^{\lambda n}$. This actually beats the best information theoretic distinguisher known so far in this range of very low data ($DQ^2 < 2^{2n}$).

4.1  Clamping  to  a  Smaller  3-XOR  Instance 

We first describe an efficient algorithm with a large trade-off space with parameters $D = |L_0| = 2^d$ and $Q = |L_1| = |L_2| = 2^{n-d/2}$ and time complexity $O(2^n/n)$ (independently of $D$ and $Q$). This algorithm is built from the 3-XOR algorithm of [4], but we take advantage of the structure of the 3-XOR problem to reduce the time complexity below $O(2^n/\sqrt{n})$ (reached by Algorithm GA). Indeed, our 3-XOR instance is given as:

$$f_0(x) := x \,\|\, x \oplus E(x), \qquad f_1(y) := y \oplus P_1(y) \,\|\, y, \qquad f_2(z) := z \,\|\, P_2(z). \qquad (3)$$

We can use a variant of the clamping trick of Bernstein [2] to simplify this instance. For a parameter $d$, we consider the $2^{n-d/2}$ values $y$ with $y_{[0:d/2]} = 0$ and we evaluate $f_1$ on those values. This gives a list $L_1$ with $|L_1| = 2^{n-d/2}$ such that all values have $d/2$ zero bits ($L_1[i]_{[n:n+d/2]} = 0$). Similarly, we consider all values $z'$ with $z'_{[0:d/2]} = 0$, and we evaluate $f_2$ on $z = P_2^{-1}(z')$ to build a list $L_2$ with $L_2[j]_{[n:n+d/2]} = 0$. Finally, we consider $2^d$ known plaintexts $x$, and we keep the values with $(x \oplus E(x))_{[0:d/2]} = 0$ in a list $L_0$. We expect to have $|L_0| = 2^{d/2}$. We now have three lists with $L_i[u]_{[n:n+d/2]} = 0$, so we can consider this as a 3-XOR problem on $w = 2n - d/2$ bits. We have $|L_0| \cdot |L_1| \cdot |L_2| = 2^{2n-d/2} = 2^w$; therefore there is on average one solution, and the algorithm of Bouillaguet et al. [4] finds it with complexity $O(|L_0| \cdot (|L_1| + |L_2|)/w) = O(2^n/n)$.

When writing the full details, we have Algorithm CL:

CL1. Compute $f_1(y) = (y \oplus P_1(y)) \,\|\, y$ for all $y$ such that $y_{[0:d/2]} = 0$. Remove bits $[n : n + d/2]$ (fixed to 0) and store the $(2n - d/2)$-bit values in $L_1$.

CL2. Compute $f_2(P_2^{-1}(z')) = P_2^{-1}(z') \,\|\, z'$ for all $z'$ such that $z'_{[0:d/2]} = 0$. Remove bits $[n : n + d/2]$ (fixed to 0) and store the $(2n - d/2)$-bit values in $L_2$.

CL3. Until a solution is found do:

CL3.1. Capture and filter a set of $n$ pairs of plaintext/ciphertext $(x, E(x))$ such that $(x \oplus E(x))_{[0:d/2]} = 0$ and all $\{f_0(x) = x \,\|\, (x \oplus E(x))\}$ are linearly independent. Remove bits $[n : n + d/2]$ (fixed to 0) and store the $(2n - d/2)$-bit values in $L_0$.

CL3.2. See $L_0$ as an $n \times (2n - d/2)$ matrix. Use column reduction to find the $(2n - d/2) \times (2n - d/2)$ transformation matrix $M$ such that $L_0 M = [0_{n \times (n - d/2)} \,\|\, I_n]$.

CL3.3. Right-multiply the lists with the transformation matrix:

$$L_0' \leftarrow L_0 M; \qquad L_1' \leftarrow L_1 M; \qquad L_2' \leftarrow L_2 M.$$

CL3.4. Sort and find partial collisions in $L_1'$ and $L_2'$ on the first $(n - d/2)$-bit prefix. For each partial collision $L_1'[i] \oplus L_2'[j]$ check whether the second $n$-bit part differs only on the $h$th bit for some $h$. If yes go to CL4. If no solution is found, loop on CL3.

CL4. A solution to the 3-XOR problem $(L_0[h], L_1[i], L_2[j])$ has been found. Output $k = x \oplus y$ with $x$ the first $n$ bits of $L_0[h]$ and $y$ made of $d/2$ zeros followed by the last $n - d/2$ bits of $L_1[i]$.


In steps CL1 and CL2 we only fixed the $d/2$ first bits so that we have lists of size $2^{n-d/2}$. Step CL2 still constructs the usual $L_2$ as a collection of $z \,\|\, P_2(z)$, only we need to fix the value of $P_2(z) = z'$ and compute $z = P_2^{-1}(z')$ using the inverse.

Then all of this works very much like Algorithm GA, the main difference being at step CL3.1 where we filter the observed pairs. Indeed we look for a triplet such that $x \oplus y = z' \oplus E(x)$, so fixing bits of $y$ and $z'$ fixes bits of $(x \oplus E(x))$.
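The following added Python example (not from the paper) runs Algorithm GA and Algorithm CL on a toy 2EM instance with $n = 12$ and random permutations stored as tables: `recover_key(0)` is Algorithm GA with full offline lists, and `recover_key(d)` for $d > 0$ clamps the $d/2$ leading bits of $y$, $P_2(z)$ and $x \oplus E(x)$ as in CL1 to CL3.1. Instead of materialising the matrix $M$ of footnote 2, it tracks the coordinates of each second part in the basis formed by the $n$ rows of $L_0$ (`XorBasis.coords`, which is right-multiplication by $B^{-1}$) and adds the matching combination of first parts ($c \cdot A$); that is the same linear map, applied one word at a time. The class and function names, the toy sizes and the check of the candidate key against a known pair are my choices; the check is needed because a chance 3-XOR solution is as likely as a right triple.

```python
"""Algorithms GA (Section 3.3) and CL (Section 4.1) on a toy single-key 2EM instance.
Added example: the instance, the names and the sizes are constructed here, not taken from
the paper.  Words are Python ints; 'first part' = low bits, 'second part' = high bits."""
import random

n = 12                                   # toy block size (the paper targets n = 64 and beyond)
SIZE = 1 << n
rng = random.Random(2019)
P1 = rng.sample(range(SIZE), SIZE)       # public random permutations as lookup tables
P2 = rng.sample(range(SIZE), SIZE)
P2inv = sorted(range(SIZE), key=P2.__getitem__)
KEY = rng.randrange(SIZE)                # the secret; read only by the oracle E


def E(x):
    """2EM oracle E(x) = k + P2(k + P1(k + x)); every call is an online query."""
    return KEY ^ P2[KEY ^ P1[KEY ^ x]]


class XorBasis:
    """Incremental GF(2) basis of `width`-bit words that records how each stored vector
    decomposes over the inserted generators.  coords(v) returns the row vector c with
    c . B = v, i.e. v . B^-1 for the footnote's M = [I 0; B^-1 A  B^-1]."""
    def __init__(self, width):
        self.width, self.rows, self.count = width, {}, 0   # pivot bit -> (vector, generator mask)

    def _reduce(self, v):
        comb = 0
        for piv in range(self.width - 1, -1, -1):
            if v >> piv & 1 and piv in self.rows:
                row, c = self.rows[piv]
                v, comb = v ^ row, comb ^ c
        return v, comb

    def add(self, v):
        """Insert v as generator number self.count; False if it depends on the previous ones."""
        v, comb = self._reduce(v)
        if v == 0:
            return False
        self.rows[v.bit_length() - 1] = (v, comb ^ (1 << self.count))
        self.count += 1
        return True

    def coords(self, v):
        """Generator mask c with XOR_{h in c} generator_h = v (v must lie in the span)."""
        rest, comb = self._reduce(v)
        assert rest == 0
        return comb


def xor_select(vals, mask):
    """XOR of vals[h] over the set bits h of mask (the product c . A of the footnote)."""
    acc = 0
    for h, v in enumerate(vals):
        if mask >> h & 1:
            acc ^= v
    return acc


def recover_key(d, oracle=E):
    """Algorithm CL with clamping parameter d; d = 0 is exactly Algorithm GA.
    Returns (recovered key or None, number of plaintext/ciphertext pairs consumed)."""
    c = d // 2                           # y, P2(z) and x + E(x) are clamped to c leading zeros
    hi, lo_mask = n - c, (1 << c) - 1

    def split(part1, part2):
        # (part1 || part2) with the c zero bits of part2 dropped, re-split so that the second
        # part keeps n bits: n independent L0 rows can then be sent to (0 || e_h).
        return part1 & ((1 << hi) - 1), (part1 >> hi) | ((part2 >> c) << c)

    # CL1 / CL2 (GA1 / GA2): offline lists over every y and every z' = P2(z) with c zero bits.
    L1 = [(y, P1[y]) for y in range(0, SIZE, 1 << c)]
    L2 = [(P2inv[zp], zp) for zp in range(0, SIZE, 1 << c)]
    order = rng.sample(range(SIZE), SIZE)   # known plaintexts arrive in an order we do not pick
    used = 0
    while used < SIZE:
        # CL3.1 (GA3): n filtered pairs whose second parts are independent (B non-singular).
        basis, xs = XorBasis(n), []
        while len(xs) < n and used < SIZE:
            x = order[used]
            used += 1
            w = x ^ oracle(x)
            if w & lo_mask == 0 and basis.add(split(x, w)[1]):
                xs.append(x)
        if len(xs) < n:
            break
        first_parts = [split(x, 0)[0] for x in xs]    # block A: first parts of the L0 rows

        def transform(part1, part2):
            # CL3.2 / CL3.3 (GA4 / GA5): v . M = (v1 + c.A || c) with c = v2 . B^-1; it sends
            # the row f0(x_h) to (0 || e_h) and, being invertible, keeps every 3-XOR solution.
            v1, v2 = split(part1, part2)
            cc = basis.coords(v2)
            return v1 ^ xor_select(first_parts, cc), cc

        # CL3.4 (GA6): match on the first part, then require a single differing bit h.
        table = {}
        for y, p1y in L1:
            a, c1 = transform(y ^ p1y, y)             # f1(y) = (y + P1(y) || y)
            table.setdefault(a, []).append((c1, y))
        for z, zp in L2:
            a, c2 = transform(z, zp)                  # f2(z) = (z || P2(z))
            for c1, y in table.get(a, ()):
                diff = c1 ^ c2
                if diff and diff & (diff - 1) == 0:
                    cand = xs[diff.bit_length() - 1] ^ y              # CL4 (GA7): k = x_h + y
                    # A chance 3-XOR solution is as likely as a right triple: check the
                    # candidate on one known pair before trusting it.
                    if oracle(xs[0]) == cand ^ P2[cand ^ P1[cand ^ xs[0]]]:
                        return cand, used
    return None, used
```

With `d = 0` the offline lists contain every $y$ and every $z$, so the first batch of $n$ known pairs already contains a right triple and the key comes out after about $n$ online queries; with `d = 4` the lists shrink to $2^{n-2}$ entries and the loop over batches of filtered pairs is exercised, exactly the data/memory trade-off of Section 4.2.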


4.2  Complexity  Analysis 

Data Complexity. The data complexity depends on the number of plaintext/ciphertext pairs we expect to observe before we find a solution. One way to see it is to count the number of observable right triplets. Initially there are $2^n$ right triplets but we restrict ourselves to triplets such that $y_{[0:d/2]} = 0$ and $P_2(z)_{[0:d/2]} = 0$, a $d$-bit filter, so on average $2^{n-d}$ right triplets remain. Therefore the moment we observe an $x$ belonging to one of these right triplets it will necessarily pass the filter, give a solution and finish the algorithm. This happens with probability $2^{n-d}/2^n = 2^{-d}$, therefore we expect a solution after $D = 2^d$ pairs $(x, E(x))$.

Memory Complexity. The largest lists in memory are $L_1$ and $L_2$ that require, in the balanced case, $O(2^{n-d/2})$ blocks of memory.
Query Complexity. The offline query complexity is also the size of $L_1$ and $L_2$, that is $2^{n-d/2} = Q$. In particular, we use as much data as the best known distinguisher with $D \cdot Q^2 = 2^{2n}$. Notice that for the balanced case $D = Q = 2^{2n/3}$ this attack is optimal in the information theoretic model as Chen et al. [5] proved that $O(2^{2n/3})$ is a lower bound.


Time Complexity. First we need to compute both lists $L_1$ and $L_2$, requiring $2^{n-d/2}$ permutation evaluations each (this can be a precomputation). We expect the algorithm to succeed after $2^d$ pairs $(x, E(x))$ with good probability. Thanks to the $d/2$-bit filter in step CL3.1, only $2^{d/2}$ pairs are expected to be processed by CL3, in batches of $n$ values. Therefore we expect to do $2^{d/2}/n$ loops before we finish. Each loop consists of computing a small transformation matrix, applying it to the big lists $L_1$ and $L_2$, sorting them and looking for prefix collisions. All of these costs are linear in the list size, $2^{n-d/2}$, or in the number of expected $(n - d/2)$-bit prefix collisions in CL3.4, that is $|L_1| \cdot |L_2|/2^{n-d/2} = 2^{n-d/2}$. Therefore each loop costs $O(2^{n-d/2})$ and is expected to be performed $2^{d/2}/n$ times, for a total computational time complexity of $T = O(2^n/n)$. This computational time is independent of $d$.


Discussion. Algorithm CL achieves a computational time complexity of $T = 2^n/n$ while using as much information as the best known information theoretic attack with $D \cdot Q^2 = 2^{2n}$. In particular this is information theoretically optimal in the balanced case $D = Q = 2^{2n/3}$, that is for $d = 2n/3$. This attack works with known plaintexts, and there is no obvious way to improve it using chosen plaintexts.

For most choices of $d$, evaluating the cipher and the permutations is not the dominant cost of the algorithm. In this analysis we assume that operations on $n$-bit words and memory accesses to the lists $L_1$ and $L_2$ cost $\Theta(1)$ evaluations of the cipher, but if we assume instead that they cost much less than one evaluation (as is done in some previous works) the attack is even more interesting.

To optimize the memory complexity, that is $2^{n-d/2}$, we need to choose a fairly high value of $d$. In that case the data complexity $D = 2^d$ becomes problematic, but we can swap the number of online calls to $E$ with the number of offline calls to $P_1$, effectively swapping $f_0$ and $f_1$, thanks to the symmetry highlighted in Section 2.3. This gives a data and memory complexity of $2^{n-d/2}$, a query complexity of $Q = 2^{n-d/2-1} + 2^{d-1}$, and the time remains $T = O(2^n/n)$. This becomes a chosen plaintext attack because step CL1 requires to choose part of the inputs. Concrete values for $n = 64$ for such trade-offs are given in Table 2 as "optim. memory & swap $E \leftrightarrow P_1$".


4.3  Using Baran-Demaine-Pătraşcu's 3-SUM Algorithm

Since the previous algorithm just uses a 3-XOR algorithm as a black box after clamping, we can also use it with the BDP algorithm adapted to 3-XOR [4]. In fact, any 3-XOR algorithm could be used after clamping, which implies that an improved random 3-XOR algorithm would lead to an improved 2EM cryptanalysis. This adapted BDP algorithm has a better asymptotic complexity, with a speed-up of $m^2 = \Theta(n^2/\ln^2(n))$ compared to the quadratic algorithm.

This results in a key-recovery attack against 2EM with asymptotic time complexity $O(2^n \cdot \ln^2(n)/n^2)$. This is asymptotically better than the best known 2EM key recoveries. However, as shown in [4], it is not practical for realistic word sizes $w$. Indeed the dominant term in the complexity of the BDP algorithm is $O(|L_0| \cdot |L_1|/m^2)$ with $m = O(n/\ln(n))$. Following the analysis of Bouillaguet et al., we have more concretely $m \approx n/(112 \ln(n))$. Therefore, in order to have $m^2 > n$, we would need $n > 2.75 \times 10^6$.

4.4  Very  Low  Data  Algorithm 

The previous Algorithm CL can reach a low data complexity (with a small parameter $d$) that would be a multiple of $n$, or a relatively low memory complexity (close to $2^{n/2}$ with a large $d$), and having both close to $2^{n/2}$ requires chosen plaintexts. We now describe a new algorithm that combines a very low data complexity and a low memory. This algorithm uses only $D = \lambda n$ known plaintexts for $0 < \lambda < 1$, and has a time complexity $T = O(2^n/\lambda n)$ while using only a memory of size $2^{\lambda n}$. Moreover, we have $D \cdot Q = 2^n$ and $D \cdot Q^2 = O(2^{2n}/\lambda n)$, that is the best information theoretic trade-off so far between online and offline queries.

This will be Algorithm LD with parameter $0 < \lambda < 1$ (typically, we have $\lambda = 1/2$):

LD1. Observe and find a set of $\lambda n$ pairs of plaintext/ciphertext $(x, E(x))$ such that all $\{(x \oplus E(x))_{[n - \lambda n : n]}\}$ are linearly independent and store $f_0(x) = x \,\|\, (x \oplus E(x))$ in $L_0$.

LD2. See $L_0$ as three concatenated $\lambda n$-line matrices,

$$L_0 = [\,A \;\; B \;\; C\,] \qquad \text{with widths } n,\; n - \lambda n,\; \lambda n,$$

where $C$ is non-singular by LD1. Define the $n \times n$ small transformation matrix $M_s$ and the $2n \times 2n$ big transformation matrix $M$:

$$M_s = \begin{bmatrix} I & 0 \\ C^{-1}B & C^{-1} \end{bmatrix}, \qquad M = \begin{bmatrix} I & 0 \\ \begin{bmatrix} 0 \\ C^{-1}A \end{bmatrix} & M_s \end{bmatrix} = \begin{bmatrix} I & 0 & 0 \\ 0 & I & 0 \\ C^{-1}A & C^{-1}B & C^{-1} \end{bmatrix}.$$

LD3. Right-multiply the list $L_0$ with the big transformation matrix:

$$L_0' \leftarrow L_0 M = [\,0 \;\; 0 \;\; I\,] \qquad \text{with widths } n,\; n - \lambda n,\; \lambda n.$$

LD4. Until a solution is found pick a new $(n - \lambda n)$-bit value $a$ and do:
LD4.1. For all $\lambda n$-bit values $u$ compute $f_1([a|u] \cdot M_s^{-1}) = [a|u] \cdot M_s^{-1} \oplus P_1([a|u] \cdot M_s^{-1}) \,\|\, [a|u] \cdot M_s^{-1}$. Store them in $L_1$.

LD4.2. For all $\lambda n$-bit values $u$ compute $f_2(P_2^{-1}([a|u] \cdot M_s^{-1})) = P_2^{-1}([a|u] \cdot M_s^{-1}) \,\|\, [a|u] \cdot M_s^{-1}$. Store them in $L_2$.

LD4.3. Modify the lists with the big transformation matrix:

$$L_1' \leftarrow L_1 M; \qquad L_2' \leftarrow L_2 M.$$

Note that all elements of $L_1'$ and $L_2'$ have bits $[n : 2n - \lambda n]$ set to $a$.

LD4.4. Sort and find partial collisions in $L_1'$ and $L_2'$ on the first $n$-bit half. For each partial collision $L_1'[i] \oplus L_2'[j]$ check whether the second half differs on a single bit $h$ with $n - \lambda n \le h < n$. If yes go to LD5. If no solution is found, continue to loop on LD4.

LD5. A solution to the 3-XOR problem $(L_0[h - (n - \lambda n)], L_1[i], L_2[j])$ has been found. Output $k = x \oplus y$ with $x$ the first half of $L_0[h - (n - \lambda n)]$ and $y$ the second half of $L_1[i]$.


We again use the property that finding a solution for the 3-XOR in the modified lists yields the same solution in the original lists.

With the way we defined the big transformation matrix $M$ in LD2 and the fact that we applied $M_s^{-1}$ to the inputs in steps LD4.1 and LD4.2, when we perform step LD4.3 we get the values

$$f_1([a|u] \cdot M_s^{-1}) \cdot M = [a|u] \cdot M_s^{-1} \oplus P_1([a|u] \cdot M_s^{-1}) \oplus u \cdot A \,\|\, [a|u]$$

and

$$f_2(P_2^{-1}([a|u] \cdot M_s^{-1})) \cdot M = P_2^{-1}([a|u] \cdot M_s^{-1}) \oplus u \cdot A \,\|\, [a|u]$$

stored in $L_1'$ and $L_2'$ respectively (the second half $[a|u] \cdot M_s^{-1}$ is sent back to $[a|u]$ by $M_s$, and its last $\lambda n$ bits, $u \cdot C$, contribute $u \cdot C \cdot C^{-1}A = u \cdot A$ to the first half). Thus the right-hand side of both lists reverts to the form $[a|u]$ with fixed $a$ and for all $u$. Therefore we get an $(n - \lambda n)$-bit collision for free, matching the zeroes in $L_0'$.
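As an added Python example (not part of the paper), the same kind of toy 2EM instance runs Algorithm LD with `lam_n` playing the role of $\lambda n$. Because $M_s^{-1} = \begin{bmatrix} I & 0 \\ B & C \end{bmatrix}$, the inputs $[a|u] \cdot M_s^{-1}$ of LD4.1 and LD4.2 are simply $(a \,\|\, 0)$ XORed with the combination of the words $x_h \oplus E(x_h)$ selected by the bits of $u$, and the transformed first half is the original first half XORed with the same combination of the $x_h$ (the term $u \cdot A$ above); the code therefore never builds $M$ or $M_s$. The names, the toy sizes, the independence test by enumeration (fine for a toy $\lambda n$, a Gaussian reduction in general) and the final check of the candidate key against a known pair are my choices.

```python
"""Algorithm LD (Section 4.4) on a toy single-key 2EM instance.
Added example; the instance and all names are constructed here, not taken from the paper."""
import random

n = 12                                   # toy block size
SIZE = 1 << n
rng = random.Random(7)
P1 = rng.sample(range(SIZE), SIZE)       # public random permutations as lookup tables
P2 = rng.sample(range(SIZE), SIZE)
P2inv = sorted(range(SIZE), key=P2.__getitem__)
KEY = rng.randrange(SIZE)                # the secret; read only by the oracle E


def E(x):
    """2EM oracle E(x) = k + P2(k + P1(k + x)); every call is an online query."""
    return KEY ^ P2[KEY ^ P1[KEY ^ x]]


def xor_select(vals, mask):
    """XOR of vals[h] over the set bits h of mask (the products u.A and u.[B C] below)."""
    acc = 0
    for h, v in enumerate(vals):
        if mask >> h & 1:
            acc ^= v
    return acc


def algorithm_LD(lam_n, oracle=E):
    """lam_n plays the role of the paper's λn.  Returns (key or None, pairs observed, loops run).
    Bit layout: the 'last' λn bits of an n-bit word are its low bits, the first n - λn bits
    (the value a) are its high bits."""
    m = n - lam_n
    low = (1 << lam_n) - 1
    # LD1: λn known pairs whose x + E(x) are linearly independent on their last λn bits, so that
    # the block C is invertible.  For a toy λn, "all 2^λn XOR combinations differ" is that test.
    xs, ws, used = [], [], 0
    for x in rng.sample(range(SIZE), SIZE):
        used += 1
        w = x ^ oracle(x)
        trial = ws + [w]
        if len({xor_select(trial, u) & low for u in range(1 << len(trial))}) == 1 << len(trial):
            xs.append(x)
            ws.append(w)
            if len(xs) == lam_n:
                break
    # LD2/LD3 need no explicit matrix here: Ms^-1 = [I 0; B C], so the input [a|u].Ms^-1 of
    # LD4.1/LD4.2 is (a || 0) + XOR_{h in u}(x_h + E(x_h)), and after right-multiplying by M
    # the first half of f1(y) is y + P1(y) + XOR_{h in u} x_h (resp. z + XOR_{h in u} x_h
    # for f2) while the second half is (a || u).  Only a single differing bit remains to test.
    for loops, a in enumerate(rng.sample(range(1 << m), 1 << m), 1):    # LD4: one a per loop
        table = {}
        for u in range(1 << lam_n):                                     # LD4.1: 2^λn values of f1
            y = (a << lam_n) ^ xor_select(ws, u)
            table.setdefault(y ^ P1[y] ^ xor_select(xs, u), []).append((u, y))
        for u2 in range(1 << lam_n):                                    # LD4.2: 2^λn values of f2
            z = P2inv[(a << lam_n) ^ xor_select(ws, u2)]
            for u1, y in table.get(z ^ xor_select(xs, u2), ()):         # LD4.4: n-bit collision,
                diff = u1 ^ u2                                          # the a parts agree for free
                if diff and diff & (diff - 1) == 0:
                    cand = xs[diff.bit_length() - 1] ^ y                # LD5: k = x_h + y
                    if oracle(xs[0]) == cand ^ P2[cand ^ P1[cand ^ xs[0]]]:   # reject chance solutions
                        return cand, used, loops
    return None, used, 0
```

Each loop holds only $2 \cdot 2^{\lambda n}$ words, and the number of loops is the quantity analysed in Section 4.5: with $n = 12$ and $\lambda n = 6$ the expected count is $2^{n - \lambda n}/\lambda n \approx 11$. The sets $\{(a \,\|\, 0) \oplus u \cdot [B\;C]\}$ for the $2^{n-\lambda n}$ values of $a$ partition the input space, so enumerating every $a$ is guaranteed to reach the right $y = k \oplus x_h$ for each of the $\lambda n$ pairs; the loop therefore never needs a separate failure path.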


4.5  Complexity  Analysis 

For this attack, in each loop we pick a value $a$ and build $L_1, L_2$ of size $2^{\lambda n}$. Then we have a solution among the $2^{2\lambda n}$ pairs if one of them XORs to one of the $\lambda n$ values of $L_0$. Since we have a collision on the $(n - \lambda n)$-bit value $a$ for free, one couple gives a solution with probability $\lambda n \cdot 2^{-(n + \lambda n)}$. Thus each loop gives a solution with probability $2^{2\lambda n} \cdot \lambda n \cdot 2^{-(n + \lambda n)} = \lambda n \cdot 2^{\lambda n - n}$. For a constant probability of success we will need to perform around $2^{n - \lambda n}/\lambda n$ iterations.


Data Complexity. Step LD1 completely determines the data complexity of the algorithm. We capture $\lambda n$ plaintext/ciphertext pairs and we get a linearly independent set of values with good probability. Therefore $D = \lambda n$ is the data complexity.


Memory Complexity. The list $L_0$ and the matrices take a space polynomial in $n$ and therefore negligible. The lists $L_1$ and $L_2$ are always of size $2^{\lambda n}$. Therefore the memory complexity is $O(2^{\lambda n})$.
Query Complexity. The computations of the public permutations are all done in steps LD4.1 and LD4.2 to build lists of size $2^{\lambda n}$. We pass through this step at each loop, meaning that the total offline query complexity is:

$$Q = 2^{\lambda n} \cdot \frac{2^{n - \lambda n}}{\lambda n} = \frac{2^n}{\lambda n}.$$

Time Complexity. Again, computations of the matrices in step LD2 are essentially polynomial in $n$ so negligible. Step LD4.3 performs right-multiplications on large matrices and step LD4.4 is about sorting and merging, which makes those steps linear given that the merged list is of reasonable size. Here we have a partial collision on $n$ bits with probability $2^{-n}$, therefore there will be around $2^{2\lambda n} \cdot 2^{-n} = 2^{2\lambda n - n}$ partial collisions, that is less than the size of the lists ($2^{\lambda n}$), therefore step LD4.4 also has a linear cost. The computational time complexity is therefore also led by the query complexity, that is $T = O(2^n/\lambda n)$.

Acceptable Range. Notice that the previous reasoning to derive the time complexity is only applicable when we do need more than one loop to finish the algorithm, as it makes no sense to multiply by half a round. So all those trade-offs depending on $\lambda$ are constrained by:

$$\frac{2^{n - \lambda n}}{\lambda n} \ge 1 \iff \lambda \le \frac{W(2^n \ln 2)}{n \ln 2} = 1 - \frac{\ln(n \ln 2)}{n \ln 2} + \dots$$

(using the Lambert $W$ function).

Discussion. This attack works in the KPA setting as we only need to observe pairs of plaintext/ciphertext, and we need to observe surprisingly few of them: $\lambda n$ pairs are sufficient.

The memory requirement, $O(2^{\lambda n})$, can also go quite low as we choose the parameter $\lambda$, but this comes at the cost of no pre-computation being possible, as we need the transformation matrix to get the right inputs to the public permutations.

The computational time complexity $T = 2^n/\lambda n$ compares well with previous cryptanalysis done on this subject. So far there was no key recovery attack on 2EM with a better asymptotic complexity than $O(2^n/n)$.

In the information theoretic model, the trade-off between $D$ and $Q$ is important as a designer can always arbitrarily limit the maximum value of $D$ by, for example, rekeying in order to achieve a certain security goal. In this regard, this algorithm has a better trade-off between the data and query complexity than the best known generic distinguisher by Gaži [13] that has the trade-off $DQ^2 = 2^{2n}$. Here $DQ^2 = 2^{2n}/\lambda n$, thus being the best known key recovery, and also the best distinguisher, for the acceptable range of $\lambda n$.

In fact the proof by Chen et al. [5] says nothing for the low-data range $D < 2^{n/4}$ and the best proof is therefore inherited from the original one-round Even-Mansour scheme that lower-bounds the trade-off with $DQ \ge 2^n$. The gap between the best known distinguisher and the proof in this range is still an open problem, but Algorithm LD, which has the trade-off $DQ = 2^n$ (and also $DT = 2^n$) for any $\lambda$, shows for the first time that the original bound on the trade-off between $D$ and $Q$ is tight for the acceptable range of $\lambda$, that is for $1 \le D \le W(2^n \ln 2)/\ln 2$.
Previous Work. We can see this cryptanalysis as an advanced version of the attack by Dinur et al. using linear algebra [5, Section 4.2]. We can list three main differences that make this attack an improvement over the previous one. First, as already mentioned in Section 2.3, we use the symmetry between $E$, $P_1$, $P_2$ to reduce the data complexity from $2^n / \lambda n$ to $\lambda n$. Then the use of the big transformation matrix $M$, which essentially performs a Gaussian elimination over the whole $2n$-bit words, makes the attack work with known plaintexts while Dinur et al. required chosen plaintexts (even after applying the symmetry trick). Finally, the resulting $n$-bit filter of step LD4.4 allows for a larger acceptable range of $\lambda$ than the previous attack, which needed $\lambda < 1/3$ to limit the number of partial collisions.


5 Extension to r rounds

The approach can be generalized to attack multiple rounds. In fact the cryptanalysis of a single-key $r$-round EM scheme can be written as an $(r+1)$-XOR problem with words of size $rn$. Even though for $r \ge 4$ generic algorithms won't directly provide interesting attacks with competitive computational complexity, this elegantly rewrites the known generic distinguisher on rEM and may be a good start to look for dedicated cryptanalysis.


[Figure 5 (diagram not recovered): the chain $x_0 \to x_1 \to P_1(x_1) \to \oplus \to x_2 \to P_2(x_2) \to \cdots \to x_r \to P_r(x_r) \to \oplus \to E(x_0)$ through rEM]

Fig. 5. A right tuple gives a path of rEM


Definition 3 ($k$-XOR problem). Given $k$ functions $f_0, f_1, f_2, \dots, f_{k-1}$, find $k$ inputs $(x_0, x_1, x_2, \dots, x_{k-1})$ such that $f_0(x_0) \oplus f_1(x_1) \oplus f_2(x_2) \oplus \dots \oplus f_{k-1}(x_{k-1}) = 0$.


Extended Relation. To see that, we follow the same reasoning as in Section 2.2 but for the $r$-round EM, Figure 5, and look for an $(r+1)$-tuple $(x_0, x_1, \dots, x_r)$ satisfying the generalized relation $\mathcal{R}$:

$$\mathcal{R} : \begin{cases} x_0 \oplus x_1 = k \\ P_i(x_i) \oplus x_{i+1} = k, \quad 1 \le i \le r - 1 \\ P_r(x_r) \oplus E(x_0) = k \end{cases} \qquad (4)$$

$$\implies \begin{cases} x_0 \oplus x_1 = P_1(x_1) \oplus x_2 \\ P_i(x_i) \oplus x_{i+1} = P_{i+1}(x_{i+1}) \oplus x_{i+2}, \quad 1 \le i \le r - 2 \\ P_{r-1}(x_{r-1}) \oplus x_r = P_r(x_r) \oplus E(x_0) \end{cases} \qquad (5)$$

Again we cannot directly observe $\mathcal{R}$ but we can observe the implied relation (5), which is an $rn$-bit filter and is enough so that a random $(r+1)$-tuple satisfying Filter (5) is a right tuple with good probability.

Define Lists. Now we can define $r + 1$ lists of $r$ $n$-bit entries such that solving the $(r+1)$-XOR problem on those lists over all entries trivially gives a solution to (5):

$$L_0[h] := \begin{cases} x_0 & , h = 1 \\ 0 & , 2 \le h \le r - 1 \\ E(x_0) & , h = r \end{cases}
\qquad
L_1[h] := \begin{cases} x_1 \oplus P_1(x_1) & , h = 1 \\ P_1(x_1) & , h = 2 \\ 0 & , h \ge 3 \end{cases}$$

$$L_i[h] := \begin{cases} 0 & , h \le i - 2 \\ x_i & , h = i - 1 \\ x_i \oplus P_i(x_i) & , h = i \\ P_i(x_i) & , h = i + 1 \\ 0 & , h \ge i + 2 \end{cases}, \; 2 \le i \le r - 1
\qquad
L_r[h] := \begin{cases} 0 & , h \le r - 2 \\ x_r & , h = r - 1 \\ x_r \oplus P_r(x_r) & , h = r \end{cases}$$

See the example for $r = 5$ in Table 3. Thus this indeed defines an $(r+1)$-XOR problem with $rn$-bit words, even though it is more structured than the purely random $k$-XOR problem. Upon its resolution we have a successful key recovery with good probability when guessing $k = x_0 \oplus x_1$.


Table 3. Cryptanalysis of 5EM. Lists' construction for a cryptanalysis using the 6-XOR problem.

$$\begin{array}{l}
L_0 \ni \{\; x_0,\; 0,\; 0,\; 0,\; E(x_0) \;\} \\
L_1 \ni \{\; x_1 \oplus P_1(x_1),\; P_1(x_1),\; 0,\; 0,\; 0 \;\} \\
L_2 \ni \{\; x_2,\; x_2 \oplus P_2(x_2),\; P_2(x_2),\; 0,\; 0 \;\} \\
L_3 \ni \{\; 0,\; x_3,\; x_3 \oplus P_3(x_3),\; P_3(x_3),\; 0 \;\} \\
L_4 \ni \{\; 0,\; 0,\; x_4,\; x_4 \oplus P_4(x_4),\; P_4(x_4) \;\} \\
L_5 \ni \{\; 0,\; 0,\; 0,\; x_5,\; x_5 \oplus P_5(x_5) \;\}
\end{array}$$

Generic Cryptanalysis. Even though the problem is structured, this allows us to use generic algorithms for the $k$-XOR problem to perform a cryptanalysis. With purely random functions it is known that the lower bound on queries for the $(r+1)$-XOR problem with $rn$-bit words is $O(2^{rn/(r+1)})$. Interestingly, this exactly coincides with the query lower bound for the single-key $r$-round Even-Mansour scheme [3]. Using generic algorithms allows a cryptanalysis using $D = Q = O(2^{rn/(r+1)})$, therefore being optimal in query complexity. In fact the approach can be thought of as similar to the simple known distinguisher, but instead of looking for contradictory paths we directly look for a correct path (that implies a right tuple) and guess the key.

Limitation. The computational time complexity of generic algorithms by Wagner for this problem is $T = O\big(r \cdot 2^{rn / (\lfloor \log(r+1) \rfloor + 1)}\big)$ [20]. For $r = 2$ and $3$ rounds this is just $O(2^n)$, and we could improve from there in the 2EM case. For the 3EM case Dinur et al. [9] showed that we can have a complexity below $O(2^n)$ using multicollisions, and while it is fairly straightforward to rewrite the same attack in the 4-XOR context, it is also non-trivial to improve on this.

On the other hand the complexity is way over $2^n$ for $r \ge 4$ rounds. Therefore this is mainly an information theoretic attack. However the lists here have a strong structure, see Table 3, with many bits set to 0, which opens the question of a dedicated algorithm with a competitive computational time/memory trade-off.
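As an added example (not code from the paper), the list construction of Section 5 and the key guess $k = x_0 \oplus x_1$ carried out in Python on a toy single-key rEM with $n = 4$ and $r = 3$: the public permutations and the key are constructed from a seeded generator, an exhaustive search over the full lists stands in for a generic $(r+1)$-XOR algorithm, and the majority key guess over all solutions recovers $k$. All function and variable names are the example's own assumptions.

```python
import random
from collections import Counter
from functools import reduce
from itertools import product
from operator import xor

def rem_encrypt(x0, key, perms):
    """Single-key rEM with no key schedule: E(x0) = P_r(... P_1(x0 ^ k) ^ k ...) ^ k."""
    for P in perms:
        x0 = P[x0 ^ key]
    return x0 ^ key
def list_entry(i, x, r, perms, enc):
    """Entry of L_i for input x: words L_i[1..r] of the 'Define Lists' rule, 0-indexed."""
    words = [0] * r                         # words the rule does not mention stay 0
    if i == 0:
        words[0], words[r - 1] = x, enc(x)  # h = 1 and h = r: one known pair (x0, E(x0))
    else:
        px = perms[i - 1][x]                # P_i(x_i): one query to a public permutation
        if i >= 2: words[i - 2] ^= x        # h = i - 1
        words[i - 1] ^= x ^ px              # h = i
        if i <= r - 1: words[i] ^= px       # h = i + 1
    return tuple(words)
def is_solution(entries):
    """Relation (5) on all rn bits: the r + 1 entries XOR to zero word by word."""
    return all(reduce(xor, (e[h] for e in entries)) == 0 for h in range(len(entries[0])))
def right_tuple(x0, key, perms):
    """Walk the rEM path of Fig. 5 from x0: x_1 = x0 ^ k and x_{i+1} = P_i(x_i) ^ k."""
    xs = [x0, x0 ^ key]
    for P in perms[:-1]:
        xs.append(P[xs[-1]] ^ key)
    return xs
def recover_key(n, r, perms, enc):
    """Lists over the whole n-bit domain (toy n only); exhaustive (r+1)-XOR search stands in
    for a generic k-XOR algorithm; majority vote on the key guess k = x0 ^ x1."""
    lists = [[(x, list_entry(i, x, r, perms, enc)) for x in range(1 << n)] for i in range(r + 1)]
    votes = Counter()
    for combo in product(*lists):
        if is_solution([e for _, e in combo]):
            votes[combo[0][0] ^ combo[1][0]] += 1
    return votes.most_common(1)[0][0]

def demo(n=4, r=3, seed=1):
    """Constructed toy instance: seeded random public permutations P_1..P_r and key."""
    rng = random.Random(seed)
    perms = [rng.sample(range(1 << n), 1 << n) for _ in range(r)]
    key = rng.randrange(1 << n)
    enc = lambda x0: rem_encrypt(x0, key, perms)
    xs = right_tuple(0b1010, key, perms)   # a right tuple, known only because we hold the key
    path_ok = is_solution([list_entry(i, xs[i], r, perms, enc) for i in range(r + 1)])
    return key, path_ok, recover_key(n, r, perms, enc)
```

The right tuple built from the key passes the $rn$-bit filter, and every on-path tuple votes for the same key while the roughly $2^{(r+1)\lambda n - rn}$ chance solutions spread their votes.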

6  Conclusion 

In this paper we presented a 3-XOR approach to key-recovery attacks on single-key two-round Even-Mansour. That allows us to gain a better understanding of previous works and devise competitive algorithms using linear algebra techniques that were initially developed for the random 3-XOR problem.

These attacks have particularly interesting data and memory complexities. In particular, we give the first attacks where both the data and memory complexity are below $O(2^{n - \varepsilon})$ for some $\varepsilon > 0$, while achieving the best known time complexity of $O(2^n / n)$. Previous attacks with a similar time complexity required either very large memory or very large data, making them unlikely to be useful in practice. We also give an attack that improves the asymptotic time complexity to $O(2^n \cdot \ln^2(n) / n^2)$, although it is not applicable for practical values of $n$. As another interesting result, we show a very low-data attack that beats the best known distinguisher, and actually matches the proven lower bound for the single-round Even-Mansour construction, with $DT = 2^n$.

All those attacks are shown on the 2EM construction with no key schedule and independent permutations, but we prove that an attack on this variant of 2EM leads to an attack on the more general 2EM with a linear key schedule. Additionally we show that the 2EM construction has an implicit symmetry that allows one to blindly swap the number of calls one makes to each oracle during an attack; this automatically allows new trade-offs between the parameters.

Iterated Even-Mansour schemes are idealized SPN networks and understanding their security is important because many block ciphers, including the AES, are based on this design. In this work we focused on the two-round construction, linking it to the 3-XOR problem such that a future improvement of the random 3-XOR algorithms will improve our cryptanalysis. But we can also extend this approach to $r$-round constructions and the $(r+1)$-XOR problem with a particular structure. We detail this link in Section 5 but additional work is required to build competitive key-recovery attacks from that.